From: Drew Tomlinson <drew@mykitchentable.net>
To: Greg Hennessy
Cc: freebsd-pf@freebsd.org
Date: Thu, 29 Mar 2007 10:17:20 -0700
Subject: Re: Why Does This Packet Match This Rule?
List-Id: "Technical discussion and general questions about packet filter (pf)"

On 3/28/2007 12:58 PM Greg Hennessy wrote:

>> (and the rest). What am I missing?
>
> From the rule snippets posted, 'keep state' & 'keep state flags S/SA' comes
> to mind.
>
> You should endeavour to keep state on each and every rule and only establish
> tcp state on the 3 way handshake.

Thank you for your reply. I have been unsuccessful in getting queuing to work the way I want. I want to queue outbound traffic to the ADSL modem so I can prioritize my packets. Specifically, I have a VoIP phone from SunRocket. Its traffic should be able to use bandwidth before any other. Then beyond that, I'd like second priority to go to interactive traffic such as http and ssh. Third priority would be a standard queue where most traffic ends up. Finally I'd like to have a low priority queue for file transfers like FTP and bittorrent.

To this end, I attempted to queue only traffic leaving my router on dc1 and keep state there so the queue will continue to be used. When I add keep state to traffic entering the router, it seems that state is matched there and thus the traffic never gets queued. Thus this is why only rule 84 has keep state, as it's the rule that should match packets as they leave the router destined for the Internet.

But I must admit that I am quite confused about how all of this should work. Thus I am very open to suggestions on better ways to accomplish my goals. I am willing to rewrite my whole conf file to get it right. In fact I'm working on my latest rewrite now. :)

>> If it helps, I also posted my complete pf.conf and the rules to which it
>> expands at http://drew.mykitchentable.net/Temp/pf.conf.htm
>
> Not seeing this, connection times out.

My apologies. You can see it now as I reverted to my old conf file (not the one on which I am currently working).

> What exactly are you trying to do with what looks like a SoHo policy
> expanding into > 80 rules ?

Basically:

1. Allow all outbound traffic from my internal net (dc0) to the Internet (dc1).
2. Allow traffic from the Internet to services hosted on my internal net.
3. Allow traffic between an OpenVPN connection on tun0 and my internal net.
4. Prioritize traffic as described above.
5. And if possible, get pf to work with Snort to block packets matching Snort rules I specify.

However I am trying to just get pf working to my liking at this point. I will investigate Snort integration later.

Thanks,

Drew

--
Be a Great Magician!
Visit The Alchemist's Warehouse
http://www.alchemistswarehouse.com
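The queueing layout Drew describes (VoIP first, interactive second, a default queue, bulk transfers last) combined with Greg's advice to keep state on every rule and to create TCP state only on the SYN, as an added pf.conf sketch. This is example configuration written for this thread, not Drew's pf.conf and not a file from the pf project. It assumes: ALTQ is compiled into the kernel, dc0 is the LAN and dc1 the ADSL side, an upstream rate of 256Kb (a placeholder, set it to slightly below the real ADSL uplink), that the SunRocket adapter uses SIP on UDP 5060 plus an RTP range defined in the `voip_ports` macro (both assumptions; the real ports must be taken from the adapter's documentation), and that bittorrent listens on the placeholder range in `bulk_ports`. The design point is that a pf state entry remembers the queue of the rule that created it, so the rule that creates state for a connection must be the outbound rule on dc1 that names the queue; an inbound `keep state` rule on dc0 without a queue creates the state first and the packet leaving on dc1 then matches that state and lands in the default queue, which is the behaviour Drew observed.

```pf
# --- macros (placeholder values, adjust to your network) ---
ext_if    = "dc1"
int_if    = "dc0"
vpn_if    = "tun0"
int_net   = "192.168.1.0/24"          # assumed LAN range
voip_ports = "{ 5060, 10000:20000 }"  # assumed SIP + RTP range
bulk_ports = "{ 21, 6881:6889 }"      # assumed FTP control + bittorrent range

# --- ALTQ: priority queueing on the ADSL uplink ---
# Higher priority is served first; std is the default for unmatched traffic.
altq on $ext_if priq bandwidth 256Kb queue { q_voip, q_int, q_std, q_bulk }
queue q_voip priority 7
queue q_int  priority 5
queue q_std  priority 3 priq(default)
queue q_bulk priority 1

# --- inbound from LAN and VPN: pass without state ---
# Deliberately no 'keep state' here, so that state (and the queue id stored
# in it) is created by the outbound rule on $ext_if below.
pass in on $int_if from $int_net to any
pass in on $vpn_if from any to $int_net
pass in on $int_if from $int_net to $vpn_if:network

# --- outbound to the Internet: state created here, queue assigned here ---
# UDP/other protocols: plain keep state.  TCP: state only on the SYN
# (flags S/SA), per Greg's recommendation.
pass out on $ext_if proto udp from $int_net to any port $voip_ports \
     keep state queue q_voip
pass out on $ext_if proto tcp from $int_net to any port { 22, 80, 443 } \
     flags S/SA keep state queue q_int
pass out on $ext_if proto tcp from $int_net to any port $bulk_ports \
     flags S/SA keep state queue q_bulk
pass out on $ext_if proto tcp from $int_net to any \
     flags S/SA keep state queue q_std
pass out on $ext_if proto { udp, icmp } from $int_net to any \
     keep state queue q_std
```

After loading with `pfctl -f /etc/pf.conf`, `pfctl -vsq` shows per-queue packet counters; if everything still lands in q_std, check with `pfctl -vss` which rule created the state for a VoIP flow, since that rule's queue is the one that will be used. This sketch deliberately omits the rules for services hosted on the LAN (goal 2), which need their own `pass in on $ext_if ... flags S/SA keep state` entries.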